#!/bin/bash
set -euo pipefail

# gameadm Production Host Setup
# Konfiguriert Single-Host Production mit Podman + systemd/Quadlet

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
GAMEADM_USER="gameadm"

# Farben für bessere Ausgabe
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

log() {
    local level="$1"
    shift
    local message="$*"
    
    case "$level" in
        "INFO")  echo -e "${GREEN}[prod-setup]${NC} $message" ;;
        "WARN")  echo -e "${YELLOW}[prod-setup]${NC} $message" ;;
        "ERROR") echo -e "${RED}[prod-setup]${NC} $message" ;;
        "DEBUG") echo -e "${BLUE}[prod-setup]${NC} $message" ;;
    esac
}

# Prüfe Root-Berechtigung
check_root() {
    if [[ $EUID -ne 0 ]]; then
        log "ERROR" "Dieses Skript muss als root ausgeführt werden"
        log "INFO" "Verwenden Sie: sudo $0"
        exit 1
    fi
}

# Erstelle gameadm User
create_gameadm_user() {
    log "INFO" "Erstelle gameadm User für Production..."
    
    if ! id "$GAMEADM_USER" &>/dev/null; then
        useradd -m -s /bin/bash "$GAMEADM_USER"
        log "INFO" "User '$GAMEADM_USER' erstellt"
    else
        log "INFO" "User '$GAMEADM_USER' existiert bereits"
    fi
    
    # Sudo-Rechte für gameadm (für systemd/container management)
    cat > "/etc/sudoers.d/$GAMEADM_USER" <<EOF
# gameadm Production User Rechte
$GAMEADM_USER ALL=(ALL) NOPASSWD: /bin/systemctl
$GAMEADM_USER ALL=(ALL) NOPASSWD: /usr/bin/podman
$GAMEADM_USER ALL=(ALL) NOPASSWD: /usr/local/bin/gameadm*
$GAMEADM_USER ALL=(ALL) NOPASSWD: /bin/cp /tmp/gameadm-update/* /usr/local/bin/
$GAMEADM_USER ALL=(ALL) NOPASSWD: /bin/cp -r /tmp/gameadm-update/* /etc/gameadm/
EOF
    
    log "INFO" "Sudo-Rechte für '$GAMEADM_USER' konfiguriert"
}

# Installiere Abhängigkeiten
install_dependencies() {
    log "INFO" "Installiere Production-Abhängigkeiten..."
    
    # Erkenne Distribution
    if command -v apt &> /dev/null; then
        # Debian/Ubuntu
        apt update
        apt install -y podman systemd curl openssh-server rsync
    elif command -v yum &> /dev/null; then
        # RHEL/CentOS
        yum install -y podman systemd curl openssh-server rsync
    elif command -v zypper &> /dev/null; then
        # openSUSE
        zypper install -y podman systemd curl openssh rsync
    elif command -v apk &> /dev/null; then
        # Alpine
        apk add --no-cache podman openrc curl openssh rsync
    else
        log "WARN" "Unbekannte Distribution - manuelle Installation erforderlich"
    fi
    
    log "INFO" "Abhängigkeiten installiert"
}

# Konfiguriere Rootless Podman
setup_rootless_podman() {
    log "INFO" "Konfiguriere Rootless Podman für '$GAMEADM_USER'..."
    
    # User Linger aktivieren
    loginctl enable-linger "$GAMEADM_USER"
    log "INFO" "User Linger aktiviert"
    
    # Cgroups Delegation
    mkdir -p /etc/systemd/system/user@.service.d/
    cat > /etc/systemd/system/user@.service.d/delegate.conf <<EOF
[Service]
Delegate=yes
EOF
    
    systemctl daemon-reload
    log "INFO" "Cgroups Delegation konfiguriert"
    
    # Subuid/Subgid für gameadm User
    if ! grep -q "^$GAMEADM_USER:" /etc/subuid; then
        echo "$GAMEADM_USER:100000:65536" >> /etc/subuid
        echo "$GAMEADM_USER:100000:65536" >> /etc/subgid
        log "INFO" "Subuid/Subgid für '$GAMEADM_USER' konfiguriert"
    fi
    
    # Podman Socket für User aktivieren
    sudo -u "$GAMEADM_USER" systemctl --user enable podman.socket
    sudo -u "$GAMEADM_USER" systemctl --user start podman.socket
    log "INFO" "Podman Socket aktiviert"
}

# Konfiguriere systemd/Quadlet
setup_quadlet() {
    log "INFO" "Konfiguriere systemd/Quadlet..."
    
    # Quadlet-Verzeichnisse erstellen
    mkdir -p /etc/containers/systemd
    sudo -u "$GAMEADM_USER" mkdir -p "/home/$GAMEADM_USER/.config/containers/systemd"
    
    log "INFO" "Quadlet-Verzeichnisse erstellt"
    
    # Auto-Update Timer aktivieren
    systemctl enable podman-auto-update.timer
    systemctl start podman-auto-update.timer
    log "INFO" "Podman Auto-Update Timer aktiviert"
}

# Konfiguriere SSH für Deployments
setup_ssh() {
    log "INFO" "Konfiguriere SSH für Deployments..."
    
    # SSH Service aktivieren
    systemctl enable sshd
    systemctl start sshd
    
    # SSH-Directory für gameadm User
    sudo -u "$GAMEADM_USER" mkdir -p "/home/$GAMEADM_USER/.ssh"
    sudo -u "$GAMEADM_USER" chmod 700 "/home/$GAMEADM_USER/.ssh"
    
    log "INFO" "SSH für Deployments konfiguriert"
    log "INFO" "Fügen Sie den Public Key der CI/CD Pipeline hinzu:"
    log "INFO" "  /home/$GAMEADM_USER/.ssh/authorized_keys"
}

# Konfiguriere Firewall
setup_firewall() {
    log "INFO" "Konfiguriere Firewall für Game Servers..."
    
    # Ports für Game Server öffnen
    if command -v ufw &> /dev/null; then
        # Ubuntu/Debian UFW
        ufw allow 22/tcp     # SSH
        ufw allow 25565/tcp  # Minecraft
        ufw allow 28015/tcp  # Rust Game
        ufw allow 28016/tcp  # Rust RCON
        ufw --force enable
    elif command -v firewall-cmd &> /dev/null; then
        # RHEL/CentOS firewalld
        firewall-cmd --permanent --add-port=22/tcp
        firewall-cmd --permanent --add-port=25565/tcp
        firewall-cmd --permanent --add-port=28015/tcp
        firewall-cmd --permanent --add-port=28016/tcp
        firewall-cmd --reload
    else
        log "WARN" "Firewall manuell konfigurieren:"
        log "INFO" "  Ports: 22 (SSH), 25565 (Minecraft), 28015+28016 (Rust)"
    fi
    
    log "INFO" "Firewall konfiguriert"
}

# Erstelle Monitoring Setup
setup_monitoring() {
    log "INFO" "Erstelle Monitoring Setup..."
    
    # Health Check Skript
    cat > /usr/local/bin/gameadm-health-check <<'EOF'
#!/bin/bash
# gameadm Health Check für Production Monitoring

echo "=== gameadm Production Health Check ==="
echo "Timestamp: $(date)"
echo

echo "=== systemd Services ==="
systemctl --user status minecraft rust --no-pager | head -30

echo
echo "=== Container Status ==="
sudo -u gameadm podman ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"

echo
echo "=== Port Status ==="
netstat -tlnp | grep -E "(25565|28015|28016)" || echo "Ports nicht aktiv"

echo
echo "=== Resource Usage ==="
free -h
df -h /srv/

echo "=== Health Check abgeschlossen ==="
EOF
    
    chmod +x /usr/local/bin/gameadm-health-check
    log "INFO" "Health Check Skript erstellt: /usr/local/bin/gameadm-health-check"
}

# Installation Summary
show_summary() {
    log "INFO" "Production Host Setup abgeschlossen!"
    echo
    echo "=========================="
    echo "gameadm Production Host"
    echo "=========================="
    echo "User: $GAMEADM_USER"
    echo "Rootless Podman: ✓"
    echo "systemd/Quadlet: ✓"
    echo "Auto-Updates: ✓"
    echo "SSH Deployments: ✓"
    echo "Monitoring: ✓"
    echo
    echo "Nächste Schritte:"
    echo "1. CI/CD Public Key hinzufügen:"
    echo "   /home/$GAMEADM_USER/.ssh/authorized_keys"
    echo
    echo "2. gameadm installieren:"
    echo "   curl -fsSL https://git.pp1l.de/pp1l/gameadm/raw/branch/main/install.sh | bash"
    echo
    echo "3. Games konfigurieren:"
    echo "   gameadm install minecraft"
    echo "   gameadm install rust"
    echo
    echo "4. Production Services deployen:"
    echo "   gameadm-quadlet setup rootless"
    echo "   gameadm-quadlet deploy minecraft"
    echo "   gameadm-quadlet deploy rust"
    echo
    echo "5. Services starten:"
    echo "   gameadm-quadlet start minecraft"
    echo "   gameadm-quadlet start rust"
    echo
    echo "Health Check: /usr/local/bin/gameadm-health-check"
    echo
}

# Hauptfunktion
main() {
    log "INFO" "Starte gameadm Production Host Setup..."
    
    check_root
    create_gameadm_user
    install_dependencies
    setup_rootless_podman
    setup_quadlet
    setup_ssh
    setup_firewall
    setup_monitoring
    show_summary
    
    log "INFO" "Setup erfolgreich abgeschlossen ✓"
}

# Hauptprogramm ausführen
main "$@"